How to hack into 4 million hotel room, NFC hacked and other stuff from Black Hat security convention

It’s not a secret that every year a convention in the US keeps awake all the various law enforcement agencies from around the world. It’s called black hat and it’s a convention whose aim is to bring to light security flaws in application, websites, and anything else technical.

A couple of items stood out for me this year:

Apple was there: Apple who has been noticeably absent from the security conventions have attended the conference for the first time. This speaks volumes about their level of concern about their operating system. No longer is MAC virus/ malware free as we have seen with recent attacks, MACs are just as susceptible to attacks as everyone else.

NFC hacked: Charlie Miller, from Accuvant Labs, figured out a way to break into both the Google/Samsung Nexus S and Nokia N9 by using Near Field Communication (NFC) capability in the smartphones. Charlie demonstrated how he could crash the phone, read files on it and even make phone calls simply by being near it. Charlie’s device used to access the phone was the size of a postage stamp so it could easily be hidden next to a NFC payment system and take over the victim’s phone.

Hotels locks not safe: Hotels no longer give you a physical key to access your room, but you get a card that you insert into the lock to open the door. Cody Brocious, a Mozilla software developer demonstrated that with a $50 Arduino Microcontroller you can get access to 4 million hotel rooms – and it’s untraceable. The root of the hack is that the hotel lock keeps its unique 32 key identifier (“sitecode”)on the lock itself and by plugging in an Arduino Microcontroller and reading back to the lock its own identifier, it opens the door. The scary part that there is no quick way to fix this one. Every single lock has to be changed.

Chrome & Android issues: Android vulnerability was also exposed by Matt Johansen and Kyle Osborn from Whitehat Security. They have revealed a number of security issues in Google’s Chrome which could still be used maliciously.

They developed their own “extension” that allows an attack to launch internet port scan from the web browser with some simple coding. Osborn confirmed that he was able to upload the malicious extension to Google’s Web store by passing their internal virus-checkers.